Finding and Querying on Document Metadata (Booz Allen Hamilton)
Post on 23-Apr-2018
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL//20291123
Finding and Querying on Document Metadata
Booz Allen Hamilton
Sigint Development Support / SIGINT Technical Analysis (SDS/STA), April 2009
Document Metadata Agenda
• Why to Query on Document Metadata
• How to Find Document Metadata (e.g. File -> Properties, Google)
• How to Create Queries in XKS (XKEYSCORE Document Metadata and PDF Metadata)
Document Metadata Analysis
What? Use non-traditional selectors to find and track targets sending/receiving documents of interest.
How? It targets documents by Author, Organization, or embedded images (logos).
Why? We don't always know WHO is sending the documents, but they are "guilty-by-association" if they send/receive the document. So, who are THEY?
Finding Document Metadata
[Screenshot: the Microsoft Word File menu (New..., Open..., Close, Save, Save As..., Save as Web Page..., Remove Hidden Data..., Properties, Exit) and the Properties dialog for XKEYSCORE_Terms.doc, showing Title "XKeyscore Terms", Author "Joe BaggaDonuts", Company "ZMFA Zendian MFA" and Template "Normal.dot"]
We find "Document Metadata" in File -> Properties.
If unique, these Document Properties can be targeted.
Document Metadata Analysis
How do you find document metadata?
• Passive Collection: Collected Documents already contain data
• Active Collection: CNE "Categorized Collection" from TUNINGFORK Data or Pinwale Queries on "US-3101"
• Open Source: Google Hacking
[Screenshot: a collected-document search result list (Subject, Size, Type: application/msword, text/html, application/octet-stream) with one document's Properties tab open, listing Document Properties such as Author, Category, Company, Manager, LineCount, ParagraphCount, DateCreated 5/12/2008 3:13:00 AM and SecurityLevel none]
Collection
• Active Collection: CNE "Categorized Collection" from TUNINGFORK Data
[Screenshot: TUNINGFORK Categorized Collection for one implant, with per-type counts (Word (252), Excel (2), Execs (4), Ini files (2), Other Office (5), Powerpoint (0), Thumbs (12), Multimedia (17), Mail (35), VOIP (1642)), filenames listed by hash, and collection dates in 2008]
To find Document Metadata in TUNINGFORK, you must view each Document in Categorized Collection (manual intensive).
Using XKEYSCORE to query on CNE data
[Screenshot: XKEYSCORE "Search: Document Metadata" form with Input Source "FOXACID* or FOXBASE1" (selected implant exfils from active collection, xks-cne.corp.nsa.ic.gov:xs_web_db), Extension "doc" and Author "Authorised User", and the result list of filenames (System Admin CV.doc and several .doc/.pdf files under C:\Documents and Settings\...)]
Finding Document Metadata
Open Source: Google Hacking
[Screenshot: Google search box containing "site:comsats.net.pk filetype:doc"]
• Search by domains: "site:comsats.net.pk"
• Search by file types: "filetype:pdf" or "filetype:doc"
How to find Document Metadata when you have NEVER collected a document
Document Metadata Analysis
Take Client's (Active User) IP address and query on it in XKEYSCORE.
[Screenshot: XKEYSCORE "Search: Document Metadata" form with Extension "ppt or doc or pdf or xls" and the Active User IP Address field set to the client's address (direction: Either), returning results for a yahoo.com user]
• Use XKEYSCORE to Find Who Else is sending the files?
Document Metadata Analysis
Take "File Properties" information and fill-in qu
[Screenshot: the Word Properties dialog for XKEYSCORE_Terms.doc (Title "XKeyscore Terms", Author "Joe BaggaDonuts", Company "ZMFA Zendian MFA", Template "Normal.dot") next to the XKEYSCORE Document Metadata query form, with Author "Joe BaggaDonuts" and Organization "ZMFA Zendian MFA" filled in]
The Document Metadata query form fields are: Document Type; Encrypted?; Corrupted?; Filename; Extension; *Subject*; *Creation Time*; *Modified Time*; *Unique ID* [fulltext]; Author; Last Author; Organization; Title; Language; *Comment* [fulltext]; File/Embedded Image Hash [fulltext]; Metadata Name; Metadata Value [fulltext].
Document Metadata Analysis Sample Query
Sample Query:
Organization = PTCL
To/From Country = Pakistan
[Screenshot: the XKEYSCORE Document Metadata form with the remaining fields (Language, *Comment* [fulltext], File/Embedded Image Hash [fulltext], Metadata Name, Metadata Value [fulltext], IP Address, Port, From/To) left empty]
Document Metadata Analysis Sample Query (Results)
Previous slide produces these results:
Filename / Organization
Instructions to Kunar province bidders community midwifery.doc / PTCL
• Turn a logo into a selector
[Image: the same company logo ("The Gateway of Yemen") appearing in three different documents = SIGINT VALUE]
Embedded Images
XKEYSCORE parses out logos from within documents (PDFs, DOCs, Outlook Emails, etc.) embedded as images.
Logo/Image 32-character hash can be parsed out and queried.
[Screenshot: an Arabic-language PDF carrying a vendor logo and a Sun Fire V490 Server specification (Solaris 10 03/05 HW1 operating system preinstalled)]
Embedded Images
Files often contain embedded images, such as company logos.
[Screenshot: Arabic-language documents with embedded logos (ADSL, VPN Clients Configuration Example, GPRS TLLI)]
Step 1: Identify if a document HAS an image in it.
Embedded Images
Step 2: Open Document and click on "Full Session".
[Screenshot: XKEYSCORE session view (Session Header (3), Attachments (6), Meta (3)) for a session dated 2009-03-26 15:54:50, with the Attachments tree expanded: sigint / image_summary / document_meta / unknown / text / document_body / image (named by its 32-character hash) / office / C:\Documents and ..., plus One-Click Searches "Find opposite side of session" and "Find More Docs with Same hash"]
Embedded Images
[Screenshot: the same session view in Full Session mode, with the image entry selected in the left-side Attachments tree]
Step 3: In left-side menu bar, select an image and copy/paste the 32-character name (without the extension).
Embedded Images
[Screenshot: XKEYSCORE search-type tree (Classic, ASF and WMV Metadata, Alert, BlackBerry, CNE, Call Logs, Category DWI, Cellular DNI, Cisco Passwords, Document Metadata) with Document Metadata selected]
Step 4: Paste the 32-character name into the "File/Embedded Image Hash" field in the Document Metadata query.
[Screenshot: "Search: Document Metadata" with the File/Embedded Image Hash [fulltext] field containing the hash copied in Step 3]
Step 5: Select all of your good collection sites + SUBMIT!
[Screenshot: "Search Databases" checklist with Clear Checks / Reset Checks: xks-central.corp.nsa.ic.gov:qsummary; Australian sites (xkcentral2,dsd:xs_web_db); CARBOY (carboy-proxy,rl.r.nsa:carboy_web_db); CARDAMON (xkey-dsd.rl.r.nsa:xs_web_db); Submit / Cancel]
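The slides say the File -> Properties fields and the hash of an embedded logo are what gets queried; the following Python, added here and not part of the deck or of XKEYSCORE, shows where those values sit inside a .docx (docProps/core.xml, docProps/app.xml, word/media/) and produces the scrubbed copy that Word's "Remove Hidden Data" step is meant to give a document owner before sending. The sample document, its property values and the choice of MD5 as the 32-character image hash are assumptions.

```python
import hashlib, io, zipfile
import xml.etree.ElementTree as ET

# OOXML: core properties carry Title/Author (dc:creator)/Last Author; app properties carry Company/Manager.
CORE = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
# Constructed sample parts; the property values mirror the slides' fictional example.
SAMPLE_CORE = (f'<cp:coreProperties xmlns:cp="{CORE}" xmlns:dc="{DC}"><dc:title>XKeyscore Terms</dc:title>'
               '<dc:creator>Joe BaggaDonuts</dc:creator><cp:lastModifiedBy>Joe BaggaDonuts</cp:lastModifiedBy></cp:coreProperties>')
SAMPLE_APP = f'<Properties xmlns="{APP}"><Company>ZMFA Zendian MFA</Company><Application>Microsoft Office Word</Application></Properties>'
SAMPLE_LOGO = b"\x89PNG\r\n\x1a\n" + b"constructed-logo-bytes"  # stand-in for an embedded logo
# Elements that identify the author or organisation; cleared by scrub_docx().
IDENTIFYING = {"title", "subject", "creator", "lastModifiedBy", "description", "keywords", "Company", "Manager"}

def build_sample_docx() -> bytes:
    """A .docx is a ZIP archive; write only the parts this example reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE)
        z.writestr("docProps/app.xml", SAMPLE_APP)
        z.writestr("word/media/image1.png", SAMPLE_LOGO)
    return buf.getvalue()

def inspect_docx(data: bytes) -> dict:
    """Return the document properties and an MD5 (32 hex chars, assumed to match the slides) per embedded image."""
    out = {"properties": {}, "image_md5": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part in z.namelist():
                for el in ET.fromstring(z.read(part)):  # strip the namespace from each tag
                    out["properties"][el.tag.split("}")[-1]] = (el.text or "").strip()
        for name in z.namelist():
            if name.startswith("word/media/"):
                out["image_md5"][name] = hashlib.md5(z.read(name)).hexdigest()
    return out

def scrub_docx(data: bytes) -> bytes:
    """Copy the archive with identifying properties removed; images are kept, so review image_md5 separately."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            body = src.read(name)
            if name in ("docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(body)
                for el in [e for e in root if e.tag.split("}")[-1] in IDENTIFYING]:
                    root.remove(el)
                body = ET.tostring(root)
            dst.writestr(name, body)
    return buf.getvalue()
```

Note that scrubbing the properties leaves the embedded logo and its hash unchanged, which is exactly why the slides treat a logo as a selector in its own right.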
[Screenshot: session view (Session Header (3), Attachments (6), Meta (4)) with One-Click Searches "Find opposite side of session", "Find More Docs with Same hash" and "Find email address"]
Or you can one-click query to create a new query:
[Screenshot: "Search: Document Metadata" pre-filled by the one-click search, with Query Name "One-click search on document hash: ...", Justification, Additional Justification and Miranda Number fields, and the File/Embedded Image Hash [fulltext] field containing the document's hash]
Embedded Images
Stand-alone files can be uploaded into XKS and images parsed out.
• Useful for TAO collection that didn't get into XKS (non-UNITEDRAKE)
• https://xks-central.corp.nsa.ic.gov/general/view_file.php
[Screenshot: the XKEYSCORE upload page, "You can upload SOTF and D-124 files, as well as just random files (.doc, .ppt, etc.)", with an Upload File / Browse... control]
To task the hex values for images in CADENCE or query in PINWALE, contact the Xtreme Target Pursuit Team (S2I7).